And it happened... A security firm has managed to trick Apple's innovative Face ID with a 3D mask specially designed to fool the facial recognition system. Security firm Bkav wrote that while others have failed at successfully tricking Face ID, their mask worked because they understood "how AI of Face ID works" and then used that information to bypass it.
"The mask is crafted by combining 3D printing with makeup and 2D images, besides some special processing on the cheeks and around the face, where there are large skin areas, to fool AI of Face ID."
When Apple introduced its iPhone X, a number of hackers and security experts tried to break into this futuristic form of authentication. Security experts said that even if the system is infallible, Face ID introduces a new form of data collection and could be used by advertisers to track user's expressions. Apple responded to these concerns by saying that similar to Touch ID, all the Face ID calculations happen right on the device, which means no data ever leaves the user's iPhone. This was further rebutted when it was revealed how Apple was giving access to at least some of the data to third party applications.
While it depends on the user to fall for this yet another "convenience" at the risk of potentially being tracked by advertisers, the latest research from Bkav suggests that Face ID isn't even secure enough to be used as an authentication process.
One week and Face ID appears to have been broken
The Vietnamese cybersecurity firm claims to have successfully duplicated a face to unlock iPhone X with a specially crafted mask that costs just $150 in materials. [FBI will certainly rejoice this]
The firm posted the proof of concept video showing the Face ID hack. While other independent security experts are yet to confirm this especially since the video doesn't show the phone unlocking with a user's face and then his mask, at least the video proves that they did manage to fool Face ID with nothing but a composite mask of 3D printed plastic (not the expensive face-casting), silicone, makeup, and paper cutouts. It also rejects Apple's claim that only a "live" face will be able to unlock it.
"An easier way is photograph-based, artists craft a thing from its photos. Take the nose of our mask for example, its creation is not complicated at all. We had an artist make it by silicone first. Then, when we found that the nose did not perfectly meet our demand, we fixed it on our own, then the hack worked. That's why there's a part on the nose's left side that is of a different color (photo attached). So, it's easy to make the mask and beat Face ID. Here, I want to repeat that our experiment is a kind of Proof of Concept, the purpose of which is to prove a principle, other issues will be researched later."
The firm wrote that while an average user probably doesn't have much to worry about (unless you are thinking about data access and surveillance issues), targeted attacks will be made possible using Face ID since it's clearly weaker than a passcode that even sophisticated agencies like the FBI are unable to crack into.
"Potential targets shall not be regular users, but billionaires, leaders of major corporations, nation leaders, and agents like FBI need to understand the Face ID's issue."
Researchers wrote that the hack was in part successful because Face ID doesn't scan the entire face but focuses on a few features. "The recognition mechanism is not as strict as you think," Bkav wrote. "We just need a half face to create the mask. It was even simpler than we ourselves had thought," the firm added.
- Bkav has promised to share more details later this week; until it does we will take this with a grain of salt. Some details are available here.